Full Report
The cyber threat environment in Australia and New Zealand experienced a new escalation throughout 2025, driven by a surge in initial access sales, ransomware operations, and high-impact data breaches. According to our Threat Landscape Report Australia and New Zealand 2025, threat activity observed between January and November 2025 reveals a complex and commercialized underground ecosystem, where compromised network access is actively bought, sold, and exploited across multiple sectors.

The threat landscape report identifies a persistent focus on data-rich industries, with threat actors disproportionately targeting Retail, Banking, Financial Services, and Insurance (BFSI), Professional Services, and Healthcare organizations. These sectors continue to attract attackers due to the volume of sensitive personally identifiable information (PII), financial data, and downstream access opportunities they offer.

Growth of Initial Access Sales in 2025

A central finding of the report is the continued growth of the initial access market. Cyble Research and Intelligence Labs (CRIL) documented 92 instances of compromised access sales affecting organizations in Australia and New Zealand during 2025. Retail organizations were the most heavily targeted, accounting for 31 incidents, or approximately 34% of all observed activity. This figure is more than three times higher than that of the next most targeted sector. The BFSI sector recorded nine compromised access listings, followed by Professional Services with seven incidents. Combined, these three sectors accounted for more than half of all initial access listings observed in the region during the reporting period.

This concentration reflects a strategic approach by initial access brokers. Retail and BFSI organizations routinely handle large volumes of customer data and payment information, making them valuable targets for monetization or follow-on ransomware attacks. Professional Services firms, meanwhile, often provide access to client environments, creating opportunities for supply chain exploitation.

A Fragmented but Active Access Brokerage Market

Analysis of the compromised access marketplace reveals a highly fragmented ecosystem rather than one dominated by a small number of major actors. The threat actor known as “cosmodrome” emerged as the most prolific seller of compromised access during the period, followed closely by an actor operating under the alias “shopify.” Despite their activity, these actors did not control the market. The top seven most active sellers were collectively responsible for only about 26% of the observed access listings. The remaining activity originated from dozens of individual threat actors who posted listings once or twice, suggesting a low barrier to entry and a marketplace populated by both specialized brokers and opportunistic participants.

This structure indicates that initial access sales have become an accessible revenue stream for a wide range of threat actors, reinforcing the resilience and scalability of the underground economy.

High-Impact Incidents Highlight Broader Risks

Several notable incidents documented in the threat landscape report illustrate how initial access is translated into real-world impact. In June 2025, the threat group Scattered Spider was suspected of orchestrating a cyberattack against a major Australian airline. Attackers reportedly gained unauthorized access to a customer service portal, resulting in a data breach that exposed records belonging to nearly six million customers. The compromised data included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. The airline confirmed that more sensitive information, such as credit card details, financial records, and passport data, was not affected because it was not stored in the breached system. Investigators believe the incident may be part of a broader campaign targeting the aviation sector.

In March, threat actor “Stari4ok” advertised the sale of unauthorized access to a large Australian retail chain on the Russian-language cybercrime forum Exploit. The actor claimed the access involved a hosting server containing approximately 250 GB of data, including a 30 GB SQL database with a user table of around 71,000 records. Based on the claimed annual revenue of USD 2.6 billion and the described industry, the victim appears to be a major retailer, although this has not been independently confirmed. The access was listed for auction with a starting price of USD 1,500.

Another listing emerged in May when the threat actor “w_tchdogs” offered unauthorized access to a portal belonging to an Australian telecommunications provider on the English-language forum Darkforums. The actor claimed the access provided entry to domain administration tools and critical network information. The listing price was USD 750.

Data Breaches and Hacktivist Activity

Not all incidents were tied directly to access sales. In mid-April, unidentified threat actors gained unauthorized access to the IT systems of a prominent accounting firm operating across Australia and New Zealand. The organization publicly confirmed the breach, stating that some data may have been compromised and that an investigation was ongoing. While business operations continued, the firm warned clients of potential phishing attempts and obtained court injunctions in both countries to prevent the dissemination of affected data. As of the time of reporting, no threat group had claimed responsibility.

Hacktivist activity also remained visible. In January 2025, the group RipperSec claimed to have accessed an optical-fiber network monitoring device belonging to an Australian cable and media services provider. The device was reportedly no longer supported by its vendor.
As proof, the group released images suggesting internal defacement and possible data manipulation.
Analysis Summary
# Incident Report: Escalation of Cyber Threats via Initial Access Sales in ANZ (Jan-Nov 2025)
## Executive Summary
The cyber threat environment in Australia and New Zealand escalated significantly between January and November 2025, characterized by a surge in monetized initial access sales, ransomware operations, and major data breaches. Retail, BFSI, and Professional Services were disproportionately targeted. Key incidents included a major airline data breach affecting nearly six million customers and several sales of compromised network access listed on underground forums. The access brokerage market remains highly fragmented, indicating a low barrier to entry for threat actors.
## Incident Details
- **Discovery Date:** Data gathered from January to November 2025.
- **Incident Date:** Spans January 2025 to November 2025.
- **Affected Organization:** Incidents against a **Major Australian Airline**, a **Large Australian Retail Chain**, an **Australian Telecommunications Provider**, and a **Prominent Accounting Firm** were detailed, alongside general market activities.
- **Sector:** Retail (34% of access sales), BFSI, Professional Services, Aviation, Telecommunications, and Media Services.
- **Geography:** Australia and New Zealand (ANZ).
## Timeline of Events
| Date/Time | Event Summary | Vector / Attack Group | Impact / Scope | Response Actions |
| :--- | :--- | :--- | :--- | :--- |
| **January 2025** | Hacktivist group claimed access to an optical-fiber network monitoring device. | Exploitation of an unsupported network monitoring device. (RipperSec) | Suggested internal defacement and possible data manipulation on a cable/media provider system. | Proof released via images suggesting compromise. Severity unknown. |
| **March 2025** | Unauthorized access to a large Australian retail chain was advertised for sale on a cybercrime forum. | Compromised Hosting Server Access. (Threat Actor: “Stari4ok”) | Access listed for sale, potentially exposing 250 GB of data, including a 30 GB SQL database with ~71,000 user records. Starting bid: USD 1,500. | Public listing for auction; victim identity unconfirmed. |
| **Mid-April 2025** | Unidentified actors gained unauthorized access to a prominent accounting firm's IT systems. | Unknown: Gained unauthorized access to IT systems. | Data may have been compromised. Business operations continued. | Firm publicly confirmed breach, investigation ongoing, warned clients of phishing, and obtained court injunctions to prevent data dissemination. |
| **May 2025** | Unauthorized access to an Australian telecommunications provider was offered for sale. | Portal Access leading to Domain Administration tools. (Threat Actor: “w\_tchdogs”) | Access claimed to include domain administration tools and critical network information. Listing price: USD 750. | Public listing on Darkforums. |
| **June 2025** | Major cyberattack targeting a major Australian airline resulted in a significant data breach. | Unauthorized access to a customer service portal, suspected to be orchestrated by Scattered Spider. | Exposure of records for nearly **six million customers** (names, emails, phone numbers, dates of birth, frequent flyer numbers). Sensitive data (credit cards, passports) confirmed *not* affected. | Airline confirmed breach; investigation suggested a broader aviation sector campaign. |
| **Jan – Nov 2025 (Ongoing)** | 92 instances of compromised access sales documented across the region. | Varied (Initial Access Brokers: "cosmodrome" most prolific). | Primarily targeted Retail (31 sales), BFSI (9 sales), and Professional Services (7 sales). | Access actively bought and sold on underground forums, indicating a commercialized ecosystem. |
## Attack Methodology
The report focuses primarily on the **Initial Access** phase and the brokering of that access:
- **Initial Access:** Sales included compromised **hosting servers**, **customer service portals**, and access providing entry to **domain administration tools**.
- **Lateral Movement (Implied):** The intended outcome of purchased access often involves downstream exploitation, such as ransomware deployment or supply chain exploitation (via Professional Services access).
- **Exfiltration/Impact:** Specific documented impacts include data exposure of PII (customer records) and the sale of large data troves (up to 250 GB).
- **Attack Actors:** The market is fragmented, but key brokers identified include "cosmodrome" and "shopify." The airline attack was *suspected* to be run by **Scattered Spider**.
## Impact Assessment
- **Financial:** Direct financial impact data is absent, but access sales ranged from USD 750 to USD 1,500 for specific listings, indicating a low initial cost for subsequent high-impact attacks (like ransomware).
- **Data Breach:** High-volume PII breach at the airline (**~6 million customer records**). Large database sale advertised against a retailer (250 GB of data, including a 30 GB SQL database with ~71,000 user records).
- **Operational:** Direct operational impact details are sparse, though the accounting firm maintained operations during their breach investigation.
- **Reputational:** Significant reputational damage implied for the airline, telecom provider, and accounting firm due to confirmed or suspected breaches involving customer data.
## Indicators of Compromise
*Specific IoCs (IPs, Domains, Hashes) were not provided in the text, but behavioral/actor indicators are listed:*
- **Threat Actors Identified:** "cosmodrome," "shopify," "Stari4ok," "w\_tchdogs," and potentially **Scattered Spider**.
- **Targeted Platforms:** Customer service portals, hosting servers, network monitoring devices (unsupported).
## Response Actions and Public Disclosure (Observed)
- **Airline Breach:** Investigation launched, sensitive data confirmed not stored in the breached system.
- **Accounting Firm Breach:** Public confirmation of breach, warning sent to clients regarding potential phishing, and court injunctions secured to prevent data dissemination.
- **Access Sales:** Listings appeared on underground forums (Exploit, Darkforums), indicating the response often begins after the threat actor attempts to monetize the access.
## Lessons Learned
1. **Value of PII/Data Volume:** Retail and BFSI sectors remain the primary targets due to the volume and sensitivity of PII and financial data they hold.
2. **Low Barrier to Entry in Access Brokering:** The market is highly fragmented, with the top seven actors controlling only 26% of listings, suggesting that many opportunistic actors are successfully selling access.
3. **Supply Chain Risk:** Professional Services firms are targeted not only for their own data but also for providing downstream access opportunities to client environments.
4. **Exploitation of Legacy Systems:** Hacktivists targeted an **unsupported** monitoring device, highlighting hardware/software end-of-life (EOL) risks.
## Recommendations
1. **Segment Data Storage:** Ensure highly sensitive data (such as credit card details and passport data) is stored separately from customer-facing systems (such as customer service portals) to limit the impact of a breach, as seen in the airline incident.
2. **Strengthen Vendor/Access Monitoring:** Intensify monitoring on initial access vectors, particularly customer portals and hosting environments, as these are primary vectors being monetized by brokers.
3. **Supply Chain Assurance:** Implement strict security governance for third parties and client access points, given the inherent risk posed by Professional Services firms acting as gateways.
4. **Proactive Asset Management:** Prioritize patching or replacing vendor EOL/unsupported operational technology and monitoring equipment.